def generate_key_and_cert(): signing_key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) # private_key = signing_key.private_bytes( # crypto_serialization.Encoding.DER, # crypto_serialization.PrivateFormat.PKCS8, # crypto_serialization.NoEncryption()) # public_key = signing_key.public_key().public_bytes( # crypto_serialization.Encoding.DER, # crypto_serialization.PublicFormat.PKCS1 # ) # Various details about who we are. For a self-signed certificate the # subject and issuer are always the same. subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), x509.NameAttribute(NameOID.COMMON_NAME, u"example.com"), ]) signing_cert = x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(signing_key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.utcnow()).not_valid_after( # Our certificate will be valid for 10 days datetime.utcnow() + timedelta(days=10) # Sign our certificate with our private key ).sign(signing_key, hashes.SHA256(), crypto_default_backend()).public_bytes( crypto_serialization.Encoding.DER) return signing_key, signing_cert
def _make_key_cert_pair(self): logging.debug("Auth: Creating server credentials") private_key = rsa.generate_private_key( backend=crypto_default_backend(), public_exponent=65537, key_size=2048) public_key = private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, self.hostname), ])) builder = builder.issuer_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, self.hostname), ])) builder = builder.not_valid_before(datetime.datetime.today() - day) builder = builder.not_valid_after(datetime.datetime.today() + EXPIRE_TIME) builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(public_key) alt_names = [] if self.ip_info.ip4_address != None: alt_names.append( x509.IPAddress(ipaddress.IPv4Address( self.ip_info.ip4_address))) builder = builder.add_extension(x509.SubjectAlternativeName(alt_names), critical=True) certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=crypto_default_backend()) ser_private_key = private_key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption()) ser_public_key = certificate.public_bytes( crypto_serialization.Encoding.PEM) self.server_pub_key = ser_public_key self.server_private_key = ser_private_key
def write_ssh_keys(path): # Write ssh keys in path directory and return public and private paths key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption(), ).decode("utf-8") public_key = (key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH, ).decode("utf-8")) pub_path = os.path.join(path, "id_rsa.pub") priv_path = os.path.join(path, "id_rsa") with open(pub_path, "w") as pub: pub.write(public_key) with open(priv_path, "w") as priv: priv.write(private_key) os.chmod(pub_path, 0o600) os.chmod(priv_path, 0o600) return (os.path.join(path, "id_rsa.pub"), os.path.join(path, "id_rsa"))
def generate_key(key_path): # generate private/public key pair key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) # get public key in OpenSSH format public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH) # get private key in PEM container format private_key = key.private_bytes( encoding=crypto_serialization.Encoding.PEM, format=crypto_serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=crypto_serialization.NoEncryption()) if not os.path.exists(os.path.dirname(key_path)): os.makedirs(os.path.dirname(key_path)) with open(key_path, "w") as text_file: text_file.write(private_key.decode("utf-8")) with open(key_path + '.pub', "w") as text_file: text_file.write(public_key.decode("utf-8")) text_file.write(" autogenerated vacation tool " + datetime.datetime.now().isoformat(timespec='minutes'))
def generate_keypair(tempdir, name): """Generate an ssh keypair, and write to the tempdir.""" key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=4096) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption(), ).decode() public_key = (key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH, ).decode()) with open("{}/{}".format(tempdir, name), mode="w") as priv_key: priv_key.write(private_key) os.chmod("{}/{}".format(tempdir, name), 0o600) with open("{}/{}.pub".format(tempdir, name), mode="w") as pub_key: pub_key.write(public_key) return ("{}/{}.pub".format(tempdir, name), "{}/{}".format(tempdir, name))
def public_key_from_serialized_key(self, serialized_key: bytes): """Set the public key, by deserialize the serialized public key.""" self._public_key = serialization.load_pem_public_key( serialized_key, backend=crypto_default_backend() ) return self._public_key
def genattackerkeys(): sysRoot = os.path.expanduser('~') dest_path = sysRoot + "/Documents/keysafe" try: os.makedirs(dest_path, 0o777, exist_ok=True) except OSError as err: dest_path = os.getcwd() print("Creation of destination failed. Current directory is :" % dest_path) except FileExistsError: print("Attacker files exist. Quitting without creating new keys.") print("Delete following folder and try again: " % dest_path) else: privkeypathstring = dest_path + '/private.pem' pubkeypathstring = dest_path + '/public.pem' private_key = rsa.generate_private_key( backend=crypto_default_backend(), public_exponent=65537, key_size=2048 ) public_key = private_key.public_key() public_key_pem = public_key.public_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PublicFormat.SubjectPublicKeyInfo ) private_key_pem = private_key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption()) with open(privkeypathstring, 'wb') as f: f.write(private_key_pem) with open(pubkeypathstring, 'wb') as f: f.write(public_key_pem)
def init_key(self): if self.ssh_custom_key: return for filename in os.listdir(self.config.get('local', 'data_dir')): if not filename.startswith('yakey') or not os.path.isfile( os.path.join(self.config.get('local', 'data_dir'), filename)): continue key_path = os.path.join(self.config.get('local', 'data_dir'), filename) self.key_name = key_path.split(os.sep)[-1] pmk_key = RSAKey.from_private_key_file(key_path) logging.info('LOADED KEY %s' % key_path) break else: self.key_name = self.get_rnd_name('yakey') key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) pmk_key = RSAKey(key=key) key_path = os.path.join(self.config.get('local', 'data_dir'), self.key_name) pmk_key.write_private_key_file(key_path) logging.info('WRITTEN KEY %s' % key_path) self.public_key = "%s %s" % (pmk_key.get_name(), pmk_key.get_base64()) self.ssh_custom_key = {'pkey': pmk_key} if self.yascheduler: self.yascheduler.ssh_custom_key = self.ssh_custom_key
def generate_key_pair(self): private_key = rsa.generate_private_key( backend=crypto_default_backend(), public_exponent=self.public_exponent, key_size=self.key_size) return private_key, private_key.public_key()
def generate_key(): """ Generates and adds a key to the SSH agent. """ key = rsa.generate_private_key( backend=crypto_default_backend(), public_exponent=65537, key_size=4096, ) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption(), ).decode() public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH, ).decode() with tempfile.NamedTemporaryFile(suffix='-ssha-temporary-key') as temp_key: os.chmod(temp_key.name, 0o600) with open(temp_key.name, 'w') as open_file: open_file.write(private_key) os.system('ssh-add -t 60 {}'.format(temp_key.name)) return public_key
def readKeyFile(self, filename): try: with open(filename, 'rb') as f: data = f.read() print('Existing key in {}'.format(filename), file=sys.stderr) return load_pem_private_key(data,backend=crypto_default_backend(),password=None) except (ValueError,FileNotFoundError,EOFError): return None
def generate_private_key(private_key_path, public_exponent=65537, key_size=2048): """Generate a private key in 'CONFIG_PATH/ssl/server.key'. Parameters ---------- private_key_path : str Path where the private key will be generated. public_exponent : int, optional Key public exponent. Default `65537` key_size : int, optional Key size. Default `2048` Returns ------- RSAPrivateKey Private key. """ key = rsa.generate_private_key(public_exponent, key_size, crypto_default_backend()) with open(private_key_path, 'wb') as f: f.write( key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption())) os.chmod(private_key_path, 0o400) return key
def get_public_save_private_key(): key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.TraditionalOpenSSL, crypto_serialization.NoEncryption()) with open(PUBLIC_KEY, 'wb') as f: f.write(public_key) with open(PRIVATE_KEY, 'wb') as f: f.write(private_key) # Set read and write permission for user only os.chmod(PUBLIC_KEY, 0o0600) os.chmod(PRIVATE_KEY, 0o0600) return public_key
def generateKey(n): pbar = tqdm(total=3, position=None) pbar.set_description("Generating Private Key") key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=KEY_SIZE) pbar.update() pbar.set_description("Extracting Private Key") pbar.update() PRIVATE_KEY = key.private_bytes( encoding=crypto_serialization.Encoding.PEM, format=crypto_serialization.PrivateFormat.PKCS8, encryption_algorithm=crypto_serialization.BestAvailableEncryption( KEY_PASSPHRASE), ).decode() pbar.set_description("Extracting Public Key") pbar.update() PUBLIC_KEY = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH).decode() #tqdm.write("PRIVATE_KEY={}".format(PRIVATE_KEY)) #tqdm.write("PUBLIC_KEY={}".format(PUBLIC_KEY)) tqdm.write("{} is complete. Generated {} bytes of key data.".format( n, len(PUBLIC_KEY) + len(PUBLIC_KEY)))
def generate_ssh_key() -> Tuple[str, str]: """Generate public and private ssh keys.""" key = rsa.generate_private_key( backend=crypto_default_backend(), # type: ignore public_exponent=65537, key_size=4096, ) private_key = str( key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ), "utf8", ) public_key = str( key.public_key().public_bytes( encoding=serialization.Encoding.OpenSSH, format=serialization.PublicFormat.OpenSSH, ) + b" {{ cookiecutter.author_email }}", "utf8", ) return private_key, public_key
def lambda_handler(event,context): try: if event['RequestType'] == 'Create': # Generate keys new_key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) priv_key = new_key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption() ) pub_key = new_key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH ) print(priv_key) print(pub_key) # Encrypt private key kms = boto3.client('kms',region_name=event["ResourceProperties"]["Region"]) enc_key = kms.encrypt(KeyId=event["ResourceProperties"]["KMSKey"],Plaintext=priv_key)['CiphertextBlob'] f = open('/tmp/enc_key','wb') f.write(enc_key) f.close() # Upload priivate key to S3 s3 = boto3.client('s3') s3.upload_file('/tmp/enc_key',event["ResourceProperties"]["KeyBucket"],'enc_key') else: pub_key = event['PhysicalResourceId'] cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, pub_key) except: traceback.print_exc() cfnresponse.send(event, context, cfnresponse.FAILED, {}, '')
def __init__(conf: Configuration, name: str): from cryptography.hazmat.primitives import serialization as crypto_serialization from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.backends import default_backend as crypto_default_backend ostack = OpenStack(conf) key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat. TraditionalOpenSSL, # PKCS8 is not supported best by paramiko crypto_serialization.NoEncryption()) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH) keyBuilder = VMKeyPairItemBuilder() \ .set_name(name) \ .set_private_key(private_key) \ .set_public_key(public_key) _create_key(conf, ostack, keyBuilder)
def create_ssh_keypair(size=2048): """ Make a new ssh keypair of a given size :param: size (optional, defaults to 2048). How many bits large should the key be? :return: UTF-8 strings representing the public key and private key in that order """ from cryptography.hazmat.primitives import serialization as crypto_serialization from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.backends import default_backend as crypto_default_backend key = rsa.generate_private_key( backend=crypto_default_backend(), public_exponent=65537, key_size=size, ) private_key = key.private_bytes(crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption()) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH) return public_key.decode('utf-8'), private_key.decode('utf-8')
def GenKeys(Logger: object, KeyLength: int = 8192 ): # Generates A Set Of RSA Keys For SSH Encryption # ''' Generates a new keypair for encrypting CLI traffic. This should generate a keypair of kength 8192 bits by default, however the KeyLength argument can be specified to set another length. *Please don't use this function unless you know what you're doing!* ''' Logger.Log( f'Generating New Pub/Private Key Pair Of Length {KeyLength} Characters, Using The RSA Method' ) KeyPair = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=KeyLength) PrivateKey = KeyPair.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.TraditionalOpenSSL, crypto_serialization.NoEncryption()) PublicKey = KeyPair.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH) Logger.Log('Generated Keypair') return PublicKey, PrivateKey
def _create_db_ro_nsrs(self, nsr_id, now): try: key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption()) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH) private_key = private_key.decode('utf8') public_key = public_key.decode('utf8') except Exception as e: raise NsException("Cannot create ssh-keys: {}".format(e)) schema_version = "1.1" private_key_encrypted = self.db.encrypt(private_key, schema_version=schema_version, salt=nsr_id) db_content = { "_id": nsr_id, "_admin": { "created": now, "modified": now, "schema_version": schema_version }, "public_key": public_key, "private_key": private_key_encrypted, "actions": [], } self.db.create("ro_nsrs", db_content) return db_content
def generate_sshkey(self, user: User, key_name: str, service_key=False): """ Generate an SSH key to save in the database. The private key is returned and not saved in the database. """ key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.TraditionalOpenSSL, crypto_serialization.NoEncryption()).decode("utf-8") public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH).decode("utf-8") self.name = key_name self.public_key = public_key self.service_key = service_key try: key_obj = self.store_key(user, key_name, public_key) except KeyNameAlreadyExists: raise except PublicKeyAlreadyExists: raise return key_obj, private_key
def ssh_keygen(type: str = 'rsa', decode2str: bool = True): # very handy SSH prv/pub keygen # references: # - https://stackoverflow.com/a/39126754 # - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed25519.html if type == 'rsa': key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=crypto_default_backend()) _key_private = key.private_bytes( encoding=crypto_serialization.Encoding.PEM, format=crypto_serialization.PrivateFormat.PKCS8, encryption_algorithm=crypto_serialization.NoEncryption()) _key_public = key.public_key().public_bytes( encoding=crypto_serialization.Encoding.OpenSSH, format=crypto_serialization.PublicFormat.OpenSSH) dict_keygen = { 'prv_fname': "id_{:s}".format(type), 'prv_key': _key_private.decode('UTF-8') if decode2str else _key_private, 'pub_fname': "id_{:s}.pub".format(type), 'pub_key': _key_public.decode('UTF-8') if decode2str else _key_public, } return dict_keygen
def __gen_cert(subject_name: str, cert_attributes: CertAttributes, ca_crt: Certificate, ca_pkey): now = datetime.datetime.utcnow() crypto_backend = crypto_default_backend() algorithm = hashes.SHA256() subject = cert_attributes.create_x509_attributes(subject_name) user_key = rsa.generate_private_key(public_exponent=65537, key_size=4096, backend=crypto_backend) csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(user_key, algorithm, crypto_backend) crt = x509.CertificateBuilder() \ .subject_name(csr.subject).issuer_name(ca_crt.subject).public_key(csr.public_key()) \ .serial_number(x509.random_serial_number()) \ .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=cert_attributes.valid_days)) \ .add_extension(extval=x509.KeyUsage(digital_signature=True, key_encipherment=True, content_commitment=True, data_encipherment=False, key_agreement=False, encipher_only=False, decipher_only=False, key_cert_sign=False, crl_sign=False), critical=True) \ .add_extension(extval=x509.BasicConstraints(ca=False, path_length=None), critical=True) \ .add_extension(extval=x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_pkey.public_key()), critical=False) \ .sign(private_key=ca_pkey, algorithm=hashes.SHA256(), backend=crypto_backend) return { 'fqdn': subject_name, 'private_key': __serialize_private_key(user_key), 'cert_key': crt.public_bytes(encoding=crypto_serialization.Encoding.PEM).decode(DEFAULT_ENCODING), 'serial_number': f'{crt.serial_number:0>40X}' }
async def fetch_cert(url): try: # If the URL points to a certificate, then use it as it is. cert_pem = await fetch_text(url) parsed = cryptography.x509.load_pem_x509_certificate( cert_pem.encode("utf8"), backend=crypto_default_backend()) except ValueError: # Otherwise, fetch the SSL certificate from the (host, port). parsed_url = urlparse(url) host, port = (parsed_url.netloc, parsed_url.port or 443) loop = asyncio.get_event_loop() cert_pem = await loop.run_in_executor( None, lambda: ssl.get_server_certificate((host, port))) parsed = cryptography.x509.load_pem_x509_certificate( cert_pem.encode("utf8"), backend=crypto_default_backend()) return parsed
def encrypt_file(filepath): with open("./client_public_key.pem", "rb") as key_file: attacker_public_key = crypto_serialization.load_pem_public_key(key_file.read(), backend=crypto_default_backend()) with open(filepath, 'rb') as f: fileblob = f.read() enc_blob = encrypt_blob(fileblob, attacker_public_key) return enc_blob
def newkey(self): """Generate a RSA key.""" self.logger.log('Generating new key…', 1) self.key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) self.saveKey(self.configuration['ssh']['default_key'], self.configuration['ssh']['default_pubkey'])
def create_key_pair(key_cipher='rsa', key_format='openssh'): if key_cipher == 'rsa' and key_format == 'openssh': rsa_key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=4096) private_key = rsa_key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption()) public_key = rsa_key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH) elif key_cipher == 'rsa' and key_format == 'pem': rsa_key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=4096) private_key = rsa_key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption()) public_key = rsa_key.public_key().public_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PublicFormat.SubjectPublicKeyInfo) elif key_cipher == 'ec' and key_format == 'pem': # Ciphers: SECP384R1, SECP521R1 ec_key = ec.generate_private_key(ec.SECP521R1(), default_backend()) private_key = ec_key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption()) public_key = ec_key.public_key().public_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PublicFormat.SubjectPublicKeyInfo) else: s = f"Unsupported key cipher {key_cipher} and/or format {key_format}." print(s) return -1 return { 'private_key': private_key.decode('utf-8'), 'public_key': public_key.decode('utf-8'), 'key_cipher': key_cipher, 'key_format': key_format }
def rsa_key(): key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) return (key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH, ).decode("utf-8"))
def public_key_to_pem(self, private_key, public_key): key = crypto_serialization.load_pem_private_key( private_key, password=None, backend=crypto_default_backend()) return key.public_key().public_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PublicFormat.SubjectPublicKeyInfo )
def load_privkey(fh): _passphrase = passphrase if _passphrase is not None \ and not isinstance(_passphrase, bytes): _passphrase = _passphrase.encode('utf-8') return load_pem_private_key(fh.read(), password=_passphrase, backend=crypto_default_backend())
def test_create_keypair(self): resp = self.app.post('/compute/v2.0/os-keypairs', params=json.dumps(create_keypair_req(keypair1)), status=200) jresp = json.loads(resp.body) fingerprint = jresp['keypair']['fingerprint'] public_key = str(jresp['keypair']['public_key']) private_key = str(jresp['keypair']['private_key']) self.assertEqual(jresp, create_keypair_resp(keypair1, fingerprint=fingerprint, public_key=public_key, private_key=private_key)) # Encrypt a test message using the returned public key message = b'!!! test message' encrypted = crypto_serialization.load_ssh_public_key( public_key, backend=crypto_default_backend() ).encrypt( message, crypto_padding.OAEP( mgf=crypto_padding.MGF1(algorithm=crypto_hashes.SHA1()), algorithm=crypto_hashes.SHA1(), label=None ) ) # Decrypt the (encrypted) test message using the returned private key decrypted = crypto_serialization.load_pem_private_key( private_key, password=None, backend=crypto_default_backend() ).decrypt( encrypted, crypto_padding.OAEP( mgf=crypto_padding.MGF1(algorithm=crypto_hashes.SHA1()), algorithm=crypto_hashes.SHA1(), label=None ) ) # Verify the decrypted message self.assertEqual(decrypted, message)
def rsa_key(): key = rsa.generate_private_key( backend=crypto_default_backend(), public_exponent=65537, key_size=2048 ) return key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH ).decode('utf-8')
def get_key(self): response = self.ssm.get_parameter(Name=self.name_from_physical_resource_id(), WithDecryption=True) private_key = str(response['Parameter']['Value']) key = crypto_serialization.load_pem_private_key( private_key, password=None, backend=crypto_default_backend()) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH ) return (private_key, public_key)
def create_key(self): key = rsa.generate_private_key( backend=crypto_default_backend(), public_exponent=65537, key_size=2048 ) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption()) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH ) return (private_key, public_key)
def create(self, keypair): """ create (or import) a keypair """ LOG.info('create(keypair=%s)', keypair) if 'public_key' in keypair: private_key = None try: public_key = ' '.join(keypair['public_key'].strip() .split(' ')[0:2]) except Exception: # pylint: disable=W0703 raise exception.Failure(reason='Invalid public key') else: # Generate a new keypair if the request doesn't contain a public # key key = crypto_rsa.generate_private_key( backend=crypto_default_backend(), public_exponent=65537, key_size=2048, ) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption(), ) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH, ) # Calculate the key fingerprint fp_plain = md5(b64decode(public_key.split()[1])).hexdigest() fp = ':'.join(a + b for (a, b) in zip(fp_plain[::2], fp_plain[1::2])) # Create the new keypair in the database new_keypair = self.db.keypairs.create(name=keypair['name'], fingerprint=fp, public_key=public_key) # Add the private key to the response if private_key is not None: new_keypair['private_key'] = private_key return new_keypair
def validate_signature(event, context, **kwargs): """Validate the signature of each collection. """ server_url = event["server"] bucket = event.get("bucket", "monitor") collection = event.get("collection", "changes") client = Client(server_url=server_url, bucket=bucket, collection=collection) print("Read collection list from {}".format(client.get_endpoint("collection"))) error_messages = [] checked_certificates = {} collections = client.get_records() # Grab server data in parallel. start_time = time.time() collections_data = [] with concurrent.futures.ThreadPoolExecutor( max_workers=PARALLEL_REQUESTS ) as executor: futures = [ executor.submit(download_collection_data, server_url, c) for c in collections ] for future in concurrent.futures.as_completed(futures): collections_data.append(future.result()) elapsed_time = time.time() - start_time print(f"Downloaded all data in {elapsed_time:.2f}s") for i, (collection, endpoint, metadata, records, timestamp) in enumerate( collections_data ): start_time = time.time() message = "{:02d}/{:02d} {}: ".format(i + 1, len(collections), endpoint) # 1. Serialize serialized = canonical_json(records, timestamp) data = b"Content-Signature:\x00" + serialized.encode("utf-8") # 2. Grab the signature try: signature = metadata["signature"] except KeyError: # Destination has no signature attribute. # Be smart and check if it was just configured. # See https://github.com/mozilla-services/remote-settings-lambdas/issues/31 client = Client( server_url=server_url, bucket=collection["bucket"], collection=collection["collection"], ) with_tombstones = client.get_records(_since=1) if len(with_tombstones) == 0: # It never contained records. Let's assume it is newly configured. message += "SKIP" print(message) continue # Some records and empty signature? It will fail below. signature = {} try: # 3. Verify the signature with the public key pubkey = signature["public_key"].encode("utf-8") verifier = ecdsa.VerifyingKey.from_pem(pubkey) signature_bytes = base64.urlsafe_b64decode(signature["signature"]) verified = verifier.verify(signature_bytes, data, hashfunc=hashlib.sha384) assert verified, "Signature verification failed" # 4. Verify that the x5u certificate is valid (ie. that signature was well refreshed) x5u = signature["x5u"] if x5u not in checked_certificates: resp = requests.get(signature["x5u"]) cert_pem = resp.text.encode("utf-8") cert = cryptography.x509.load_pem_x509_certificate( cert_pem, crypto_default_backend() ) assert ( cert.not_valid_before < datetime.now() ), "certificate not yet valid" assert cert.not_valid_after > datetime.now(), "certificate expired" subject = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[ 0 ].value # eg. ``onecrl.content-signature.mozilla.org``, or # ``pinning-preload.content-signature.mozilla.org`` assert subject.endswith( ".content-signature.mozilla.org" ), "invalid subject name" checked_certificates[x5u] = cert # 5. Check that public key matches the certificate one. cert = checked_certificates[x5u] cert_pubkey_pem = cert.public_key().public_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PublicFormat.SubjectPublicKeyInfo, ) assert ( unpem(cert_pubkey_pem) == pubkey ), "signature public key does not match certificate" elapsed_time = time.time() - start_time message += f"OK ({elapsed_time:.2f}s)" print(message) except Exception: message += "⚠ BAD Signature ⚠" print(message) # Gather details for the global exception that will be raised. signed_on = metadata["last_modified"] signed_on_date = timestamp_to_date(signed_on) timestamp_date = timestamp_to_date(timestamp) error_message = ( "Signature verification failed on {endpoint}\n" " - Signed on: {signed_on} ({signed_on_date})\n" " - Records timestamp: {timestamp} ({timestamp_date})" ).format(**locals()) error_messages.append(error_message) # Make the lambda to fail in case an exception occured if len(error_messages) > 0: raise ValidationError("\n" + "\n\n".join(error_messages))
import server.createdb pjoin = os.path.join data_dir = pjoin(os.getcwd(), 'data') print ("Creating Data Directories") mkpath(pjoin(data_dir, 'sketches')) mkpath(pjoin(data_dir, 'experiments')) mkpath(pjoin(data_dir, 'ssh-keys')) server.createdb.createdb(data_dir) print ("Creating SSH Keys") key = rsa.generate_private_key( backend=crypto_default_backend(), public_exponent=65537, key_size=2048 ) private_key = key.private_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.TraditionalOpenSSL, crypto_serialization.NoEncryption()) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH ) with open(pjoin(data_dir, 'ssh-keys', 'ssh_host_rsa_key.pub'), 'wb') as f: f.write(public_key)